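## Indexer Security Group
#
# Summary:
#   Ingress:
#     tcp/8088 - Splunk HEC - (local.data_sources) Entire VPC + var.additional_source + var.splunk_legacy_cidr
#     tcp/443  - Splunk HEC over HTTPS - moose deployments only (local.is_moose), from 0.0.0.0/0
#   Egress:
#     tcp/8088 - Splunk HEC - (local.splunk_vpc_cidrs) towards the indexers
#
# Defined in security-group-indexers.tf:
#locals {
#  splunk_vpc_cidrs = toset(concat(var.splunk_legacy_cidr, [ var.vpc_cidr ]))
#  access_cidrs     = toset(concat(var.cidr_map["bastions"], var.cidr_map["vpns"]))
#  data_sources     = toset(concat(tolist(local.splunk_vpc_cidrs), var.splunk_data_sources))
#}

# Security group attached to the HEC ELBs. Rules are kept in separate
# aws_security_group_rule resources below so each one can be documented and
# conditioned (the 443 rule is moose-only) independently.
resource "aws_security_group" "hec_elb_security_group" {
  name        = "hec_elb_security_group"
  description = "Security Group for HEC ELBs (both ack and non-ack)"
  vpc_id      = var.vpc_id

  tags = merge(var.standard_tags, var.tags, {
    "Name" = "hec_elb_security_group"
  })
}

## Ingress

# HTTPS front door for the moose deployment only (count is 0 elsewhere).
# NOTE(review): this rule is open to 0.0.0.0/0; the description only says it is
# for moose, not that the ELB is internet-facing. Confirm that is the intent;
# if the moose HEC ELB is internal, narrow cidr_blocks to local.data_sources
# like hec-in below.
resource "aws_security_group_rule" "hec-https-in" {
  count             = local.is_moose ? 1 : 0
  description       = "HEC port - HTTPS for moose only"
  type              = "ingress"
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  cidr_blocks       = [ "0.0.0.0/0" ]
  security_group_id = aws_security_group.hec_elb_security_group.id
}

# HEC data-plane port. The summary above restricts this to local.data_sources
# (the VPC plus the configured Splunk data sources); the rule previously
# allowed 0.0.0.0/0, which contradicted the summary and left 8088 reachable
# from any address that can route to the ELB. local.data_sources is a set,
# which Terraform converts to the list cidr_blocks expects (as hec-out already
# relies on for local.splunk_vpc_cidrs).
resource "aws_security_group_rule" "hec-in" {
  description       = "HEC port in"
  type              = "ingress"
  from_port         = 8088
  to_port           = 8088
  protocol          = "tcp"
  cidr_blocks       = local.data_sources
  security_group_id = aws_security_group.hec_elb_security_group.id
}

## Egress

# Only allow the ELB to forward HEC traffic to the indexer networks
# (legacy CIDRs plus this VPC); no other outbound traffic is permitted.
resource "aws_security_group_rule" "hec-out" {
  description       = "HEC to the indexers"
  type              = "egress"
  from_port         = 8088
  to_port           = 8088
  protocol          = "tcp"
  cidr_blocks       = local.splunk_vpc_cidrs
  security_group_id = aws_security_group.hec_elb_security_group.id
}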